Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security, & Data Protection practice.
STATE & LOCAL LAWS & REGULATIONS
State Regulators Form Bipartisan Consortium for Privacy Issues: The California Privacy Protection Agency and the Attorneys General of California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon have created the Consortium of Privacy Regulators (the “Consortium”), a bipartisan consortium, to collaborate on various privacy issues. The seven states all have comprehensive privacy laws that are currently or will be in effect, and the Consortium will collaborate on the implementation and enforcement of their respective state laws. The Consortium will hold regular meetings not only to share expertise and resources, but also to coordinate efforts to investigate potential violations of applicable laws.
CPPA Issues Updated ADMT Proposed Rules and Opens Comment Period for Data Broker Deletion Mechanism Proposed Rules; California Governor Urges CPPA to Not Enact ADMT Proposed Rules: The California Privacy Protection Agency (“CPPA”), the regulatory authority charged with enforcing the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), has released a revised version of its proposed regulations on cybersecurity audits, risk assessments, and automated decision-making technology (“ADMT”). Among the notable modifications offered by the CPPA were to narrow the definition of ADMT, remove behavioral advertising from ADMT and risk assessment requirements, and reduce the kinds of evaluations that businesses would have to undertake when using ADMT. California’s Governor, Gavin Newsom, sent a letter to the CPPA, urging the agency not to enact the proposed regulations on ADMT, stating that the regulations “could create significant unintended consequences and impose substantial costs that threaten California’s enduring dominance in technological innovation.” In addition to the proposed ADMT regulations, the CPPA has progressed its rulemaking under the California Delete Act. The CPPA has opened the formal public comment period on its proposed regulations for the Delete Request and Opt-Out Platform. The Delete Act requires the CPPA to establish an accessible deletion mechanism to allow consumers to request the deletion of personal information from all registered data brokers through a single deletion request to the CPPA. The comment period will remain open until June 10, 2025.
Bill Introduced to Stop California CIPA Claims: The California Senate introduced S.B. 690, which aims to stop lawsuits for violations of the California Invasion of Privacy Act (“CIPA”) based on the use of cookies and other online tracking technologies. There has been a recent trend of class actions under CIPA, where plaintiffs claim that the use of cookies and tracking technologies on websites violates CIPA because such technologies facilitate wiretapping and constitute illegal pen registers or trap and trace devices. Not even businesses compliant with the CCPA that provide consumers with the ability to opt out of the sharing of personal information with providers of tracking technologies are immune from CIPA class actions. S.B. 690 would exempt online technologies used for a “commercial business purpose” from wiretapping and pen register or trap-and-trace liability. “Commercial business purpose” is defined as the processing of personal information in a manner permitted by the CCPA.
Arkansas’ Social Media Safety Act Struck Down; Arkansas Legislature Passes Amendments in Response: The U.S. District Court for the Western District of Arkansas held that Arkansas’ Social Media Safety Act (“SMSA”), a law limiting minors’ access to social media platforms, was unconstitutional and granted a permanent injunction blocking SMSA from taking effect. The District Court held that SMSA violated the First Amendment because it did not meet the requisite standard of strict scrutiny. The District Court held that SMSA’s age verification requirements blocking minors’ access to social media platforms were not narrowly tailored to prevent minors from interacting online with predators and other harmful content. The District Court also found that SMSA was unconstitutionally vague, as it is not clear which of NetChoice’s members are subject to SMSA’s requirements: while SMSA regulates companies like Facebook and Instagram, it specifically exempts Google, WhatsApp, and Snapchat. In response to the District Court’s ruling, the Arkansas Legislature passed a new bill, S.B. 611, to amend SMSA to broaden the scope and applicability of SMSA to include additional online platforms, narrow the age of applicability to users under 16 (rather than 18), strengthen privacy protections for minor users, and add a private right of action for parents of minor users.
Connecticut Attorney General Issues Annual Report on Connecticut Data Privacy Act Enforcement: The Connecticut Attorney General released a new report detailing the actions it has taken to enforce the Connecticut Data Privacy Act (“CTDPA”). The report provides updates on: (1) the Connecticut Attorney General’s broader privacy and data security efforts; (2) consumer complaints received under the CTDPA to date; (3) several enforcement efforts highlighted in the Connecticut Attorney General’s initial report; (4) expanded enforcement priorities; and (5) recommendations for strengthening the CTDPA’s protections. While the Connecticut Attorney General seems to remain focused on enforcing the CTDPA’s transparency requirements (i.e., disclosures to be included in privacy notices) and requirements to obtain opt-in consent to process sensitive data, it seems to also have broadened its efforts to address opt-out practices and dark patterns. The Connecticut Attorney General’s priorities have further expanded as the CTDPA’s universal opt-out provisions became effective and new legislation related to minors’ privacy and consumer health data took effect.
Oregon Attorney General Reports Spike in Complaints on Use of Personal Data by Government Entities: The Oregon Department of Justice’s (“ODOJ”) Privacy Unit reported a big spike in the first three months of 2025 in complaints about the Department of Government Efficiency (“DOGE”). As of March 31, 2025, the Privacy Unit reports it received more than 250 complaints about DOGE. In addition to the DOGE complaints, the Privacy Unit received 47 complaints between January and March of this year relating to the Oregon Consumer Privacy Act (“OCPA”). In addition, ODOJ announced the publication of a 2025 Quarter 1 Enforcement Report, which addresses outreach and enforcement efforts of the OCPA from January 1 to March 31, 2025, and identifies broad privacy trends in Oregon. ODOJ previously issued a Six-Month Enforcement Report, which addressed enforcement efforts for the first six months of the OCPA. ODOJ plans to continue to issue these reports quarterly, with a longer report published every six months.
Ohio’s Age Verification Law Struck Down: The U.S. District Court for the Western District of Arkansas struck down Ohio’s Social Media Parental Notification Act, which required social media companies to verify user age and obtain parental consent for users under 16. NetChoice, a technology industry trade group that has challenged a number of recently enacted social media laws around the country on constitutional grounds, including Arkansas’ SMSA, alleged that the act violated the First Amendment. The District Court agreed and held that the law’s age verification requirement blocking minors’ access to social media is not narrowly tailored to protect children from the harms of social media. The District Court also held that the law’s definitions for which websites had to comply with the law were a content-based restriction because it favored some forms of engagement with certain topics to the exclusion of others.
California Attorney General Appeals Age-Appropriate Design Code Act Decision: As previously reported, NetChoice obtained a second preliminary injunction temporarily blocking the enforcement of the California Age-Appropriate Design Code Act (“AADC”). The California Attorney General has appealed this decision, stating that it is “deeply concerned about further delay in implementing protections for children online.” The AADC would place extensive new requirements on websites and online services that are “likely to be accessed by children” under the age of 18. NetChoice won its first preliminary injunction in September 2023 on the grounds that the AADC would likely violate the First Amendment. In April 2025, NetChoice’s motion for preliminary injunction was again granted on the grounds that the AADC regulates protected speech, triggering a strict scrutiny review, and while California has a compelling interest in protecting the privacy and well-being of children, this interest alone is not sufficient to satisfy a strict scrutiny standard.
FEDERAL LAWS & REGULATIONS
DOJ Issues Data Security Program Compliance Guide and FAQ; Provides 90-Day Limited Enforcement Policy: The National Security Division of the U.S. Department of Justice (“DOJ NSD”) released a compliance guide and FAQ as part of its implementation of its final rule on protecting Americans’ sensitive data from foreign adversaries (the “Final Rule”), which establishes the Data Security Program (“DSP”). The compliance guide is intended to provide general information to assist individuals and entities in complying with the Final Rule’s legal requirements and to facilitate an understanding of the scope and purposes of the Final Rule. The FAQ answers 108 questions regarding Final Rule topics such as the definition of sensitive personal data, prohibited and restricted transactions, and the scope of the Final Rule’s application to certain corporate group transactions, among other topics. Concurrently, the DOJ NSD issued a limited enforcement policy through July 8, 2025. Under the limited enforcement policy, the DOJ NSD stated that it will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025, so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time. NSD stated it will pursue penalties and other enforcement actions as appropriate for egregious, willful violations and is not limited in pursuing civil enforcement if good faith compliance efforts, such as reviewing data flows, conducting data inventories, renegotiating vendor agreements, transferring services to new vendors, and conducting diligence on new vendors, are not undertaken.
FTC Sends Letter to Office of U.S. Trustee Regarding 23andMe Bankruptcy: Federal Trade Commission (“FTC”) Chairman Andrew N. Ferguson issued a letter to the U.S. Trustee regarding the 23andMe bankruptcy proceeding, expressing the concerns consumers have with the potential sale or transfer of their 23andMe data. The letter emphasizes the fact that the data 23andMe collects and processes is extremely sensitive, and highlights some of the public-facing privacy and data security-related representations the company has made. Chairman Ferguson urges the U.S. Trustee to ensure that any bankruptcy-related sale or transfer involving 23andMe users’ personal information and biological samples will be subject to the representations the company has made to users about both privacy and data security.
OMB Issues Memoranda on Federal Government Purchase and Use of AI: The U.S. Office of Management and Budget (“OMB”) issued memoranda providing guidance on federal agency use of AI and purchase of AI systems. The guidance in the memoranda builds on Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence, signed by President Trump in January. The memorandum fact sheet states, “The Executive Branch is shifting to a forward-leaning, pro-innovation and pro competition mindset rather than pursuing the risk-averse approach of the previous administration.” Notwithstanding that characterization, the guidance does share many risk management and performance tracking concepts included in Biden administration directives. The guidance describes how to manage “high-impact” AI, which is defined as AI where the output serves as a principal basis for decisions or actions that have legal, material, binding, or significant effect on AI rights or safety. There are several examples of high-impact AI in the guidance, including enforcement of trade policies, safety functions for critical infrastructure, transporting chemical agents, certain law enforcement activities, and when protected speech is removed. Environmental impacts and algorithmic bias are not mentioned. However, the guidance directs agencies to use AI in a way that improves public services while maintaining strong safeguards for civil rights, civil liberties, and privacy.
States’ Attorneys General Challenge the Firing of FTC Commissioners: A coalition of 21 Attorneys General (the “Coalition”) supported two FTC Commissioners in challenging the decision by President Trump to fire them without cause. Led by the Colorado Attorney General, the Coalition filed an amicus brief in Slaughter v. Trump, emphasizing the important role the FTC has played in consumer protection and antitrust. The Coalition stated that the strong track record of the FTC is due in large part to the bipartisan structure of the FTC’s leadership and that “[a]llowing the president to have at-will removal authority would ruin the FTC’s independence by allowing the commission to become a partisan agency subject to the political whims of the president.”
NIST Releases Initial Draft of New Version of Incident Response Recommendations: The U.S. Department of Commerce National Institute of Standards and Technology (“NIST”) released the initial public draft of Special Publication 800-61 Rev. 3 (“SP 800-61”) for public comment. SP 800-61 is designed to assist organizations in incorporating cybersecurity incident response considerations throughout NIST Cybersecurity Framework 2.0 risk management activities to improve the efficiency and effectiveness of their incident detection, response, and recovery activities. The public comment period is open through May 20, 2025.
NIST Releases Initial Public Draft of Privacy Framework 1.1: NIST released a draft update to the NIST Privacy Framework (“PFW”). Updates include targeted changes to the content and structure of the NIST PFW to enable organizations to better use it in conjunction with the NIST Cybersecurity Framework, which was updated to version 2.0 in 2024 (“CSF 2.0”). The PFW’s draft update makes targeted changes to align with CSF 2.0, with a focus on the Govern Function (i.e., risk management strategy and policies) and the Protect Function (i.e., privacy and cybersecurity safeguards). The new draft also includes changes responsive to stakeholder feedback since the initial release of the PFW five years ago. The draft PFW also includes a new section on AI and privacy risk management and moves PFW use guidelines online. NIST is accepting comments on the draft through June 13, 2025.
FCC Delays Part of TCPA Rule Amendments: The Federal Communications Commission (“FCC”) announced that it was extending the effective date of one part of the amendments to the Telephone Consumer Protection Act (“TCPA”) rules the FCC released last year. The delayed amendments were initially set to become effective April 11, 2025, and relate to consumers’ revocation of consent. Amendments to C.F.R. § 64.1200(a)(10) were designed to make it easier for consumers to revoke consent under the TCPA by requiring callers to apply a revocation request received for one type of message to all future calls and texts. However, in response to industry comments, the FCC extended the effective date of C.F.R. § 64.1200(a)(10) until April 11, 2026, “to the extent that it requires callers to apply a request to revoke consent made in response to one type of message to all future robocalls and robotexts from that caller on unrelated matters.” The remaining portions of the amended rule went into effect on April 11, 2025.
U.S. LITIGATION
Fifth Circuit Vacates FCC Telecommunications Provider Fine: The Fifth Circuit vacated the $57 million fine imposed on AT&T by the FCC in 2024, which was part of a number of FCC enforcement actions issued concurrently by the FCC against major carriers related to the sale of geolocation data to third parties. All carriers have appealed the fines. AT&T argued that the penalty should be vacated in part because the FCC imposed sanctions without proving the allegations in court, relying on the U.S. Supreme Court decision in U.S. Securities and Exchange Commission v. Jarkesy, in which the Supreme Court limited the use of government agency courts and held that when the Securities and Exchange Commission seeks civil penalties against a defendant for securities fraud, the Seventh Amendment entitles the defendant to a jury trial. The FCC argued that its enforcement action was rooted in Section 222 of the Telecommunications Act, which does not have roots in common law, and that, therefore, the Seventh Amendment right to a jury trial is inapplicable. However, the Fifth Circuit determined that Section 222’s requirement to use reasonable measures to protect consumer data is analogous to common law negligence. The Court stated that it was not denying the FCC’s right to enforce laws to protect customer data, but that the FCC must do so consistent with constitutional guarantees of a jury trial.
Illinois Federal Judge Reverses Prior Ruling on Retroactive Application of BIPA Amendments: In two cases before U.S. District Court Judge Elaine Bucklo, Judge Bucklo vacated her prior rulings that Illinois’ Biometric Information Privacy Act (“BIPA”) amendments passed by the Illinois legislature applied retroactively, stating that upon her reexamination of the issue she concluded that the “better interpretation of the amendment is that it changed the law” rather than clarified the initial intent of the legislature when it first passed BIPA. The Illinois Legislature amended BIPA in 2024 to provide that a company that collects a person’s biometric information multiple times in the same manner has committed only one violation of the law. Previously, the Illinois State Supreme Court held that each instance of collection constituted a violation supporting a claim for damages, resulting in potentially extreme liability for companies using biometric systems for business purposes such as timekeeping, where employees might clock in and out by scanning biometric identifiers multiple times per day. Judge Bucklo’s new ruling aligns with those of two other Illinois federal district courts. The plaintiffs will now be permitted to pursue their claims under the statute as it existed at the time of the alleged violations.
Pennsylvania District Court Holds Online Privacy Terms Sufficient for Implied Consent Under State Wiretapping Law: The U.S. District Court for the Western District of Pennsylvania held that disclosure of third-party data collection in online privacy statements that can be seen by a reasonably prudent person is sufficient to obtain implied consent to that disclosure. Pennsylvania’s wiretapping statute prohibits any person from intercepting a wire, electronic, or oral communication unless all parties have provided consent to interception. The website in question, operated by Harriet Carter Gifts, disclosed that the business tracked and shared website visitors’ activity with third parties. The privacy statement was available via a link at the bottom of each page of the website. According to the Court, the description of sharing data with third parties in the privacy statement combined with the reasonable availability of the privacy statement provided the plaintiff with constructive notice of the practice of sharing data with third parties and resulted in the plaintiff providing implied consent to such sharing, despite the fact that the plaintiff testified she had never read the privacy statement.
Sixth Circuit Holds Newsletter Subscribers Are Not Consumers Under VPPA: The Sixth Circuit affirmed the dismissal of a proposed class action brought by a plaintiff who had subscribed to a digital newsletter from Paramount Global’s 24/7 Sports. The plaintiff alleged that the subscription qualified him as a “consumer” under the Video Privacy Protection Act (“VPPA”) because the newsletter contains links to video content, making the newsletter “audiovisual materials” subject to the VPPA. The Court rejected this argument, stating that the complaint suggests that the linked video content was available to anyone with or without a newsletter subscription and that the plaintiff did not plausibly allege that the newsletter itself was “audiovisual material.” The Court noted that its reading of the VPPA differed from the Second and Seventh Circuits, which have held that the term “consumer” under the statute should encompass any purchaser or subscriber of goods or services, whether audiovisual or not. U.S. Circuit Judge Rachel S. Bloomekatz dissented, stating that the plaintiff is a “consumer” under the VPPA because he is a subscriber of Paramount, which is a “videotape service provider.”
Ninth Circuit Rules VPPA Not Applicable to Movie Theaters: The Ninth Circuit affirmed a District Court’s dismissal of an action against Landmark Theaters (“Landmark”), holding that the Video Privacy Protection Act (“VPPA”) does not apply to in-theater movie businesses. The plaintiff had purchased a ticket on Landmark’s website. As part of that purchase, the plaintiff alleged that Landmark shared the name of the film, the location of the showing, and the plaintiff’s unique Facebook identification number with Facebook. The VPPA prohibits “video tape service providers” from knowingly disclosing personally identifiable information of a consumer without consent. “Video tape service provider” is defined under the VPPA as “any person, engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audiovisual materials.” The Court held that the plain language of the statute and the law’s statutory history did not support a finding that selling tickets to an in-theater movie-going experience is a business subject to the VPPA.
U.S. ENFORCEMENT
Defense Contractor Settles FCA Allegations Related to Cybersecurity Compliance: The U.S. Department of Justice (“DOJ”) announced a settlement with defense contractor Morsecorp Inc. (“Morse”) resolving allegations that Morse violated the False Claims Act (“FCA”) by failing to comply with cybersecurity requirements in its contracts with the Army and Air Force. The DOJ alleged that Morse failed to comply with contract requirements by, among other things, using a third party to host Morse emails without requiring or ensuring that the third party met Federal Risk and Authorization Management Program Moderate baseline and complied with the Department of Defense’s cyber security requirements, failing to implement all cybersecurity controls in NIST Special Publication 800-171 (“SP 800-171”), failing to have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems, and failing to update its self-reported score for implementation of the requisite NIST controls following receipt of an updated score from a third party assessor. Morse has agreed to pay $4.6 million to resolve the allegations.
New York Attorney General Fines Auto Insurance Company over Data Breach: The Office of New York Attorney General Letitia James announced that it had fined auto insurance company Root $975,000 for failing to protect personal information following a breach that affected 45,000 New York residents. Root allows consumers to obtain a price quote for insurance through its website. After a consumer entered limited personal information, the online quote tool filled in other personal information such as driver’s license numbers. The Attorney General alleges that Root exposed plaintext driver’s license numbers in a PDF generated at the end of the quote process, that Root had failed to perform adequate risk assessments on its public-facing web applications, did not identify the plaintext exposure of consumer personal information, and employed insufficient controls to thwart automated attacks. In addition to the fine, the settlement requires Root to enhance its data security controls by maintaining a comprehensive information security program that uses reasonable authentication procedures for access to private information and maintains logging and monitoring systems, among other things.
New Jersey Attorney General Sues Messaging App for Failing to Protect Kids: New Jersey Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced they had filed a lawsuit against messaging app provider Discord, Inc. (“Discord”) alleging Discord engaged in “deceptive and unconscionable business practices that misled parents about the efficacy of its safety controls and obscured the risks children faced when using the application.” According to the complaint, Discord violated the New Jersey Consumer Fraud Act by misleading parents and kids about its safety settings for direct messages. For example, Discord allegedly represented that certain user settings related to its safe direct messaging setting would cause the app to scan, detect, and delete direct messages for explicit media content. According to the Attorney General, Discord knew that not all explicit content was being detected or deleted. The complaint also alleges that Discord misrepresented its policy of not permitting users under the age of 13 because of its inadequate age verification processes.
HHS Enters Settlement with Healthcare Network over Phishing Attack that Exposed PHI: The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with PIH Health, Inc. (“PIH Health”), a California healthcare network, relating to alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) arising from a phishing attack that exposed protected health information. The phishing attack compromised 45 PIH Health employee email accounts, which resulted in the breach of 189,763 individuals’ protected health information, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information. OCR alleges that PIH Health failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH Health, and failed to provide timely notification of the breach. Under the terms of the settlement, PIH Health will implement a corrective action plan that will be monitored by OCR for two years and pay a $600,000 fine.
INTERNATIONAL LAWS & REGULATIONS
Cyberspace Administration of China Publishes Q&A on Cross-Border Data Transfers: The Cyberspace Administration of China (“CAC”) published a Q&A on cross-border data transfer policies and requirements for organizations. The Q&A is intended to provide guidance on government administrative policies. China’s regulations on cross-border data transfer require one of three mechanisms to be used if personal data or important data is transferred. Those mechanisms are a regulator-led security assessment, standard contractual clauses, and certification. The Q&A lists several common types of low-risk data transfers that are not required to comply with one of the transfer mechanisms, including data transfers related to international trade, cross-border transportation, academic collaborations, and cross-border manufacturing/sales where no important data or personal information is involved, as well as transfers by non-critical information infrastructure operators of nonsensitive personal information concerning fewer than 100,000 individuals in total since January 1 of the current year. The Q&A also provides additional detail on assessing the necessity of personal data transfer and describes administrative processes available for obtaining clearance for data transfers on a company group basis, among other things.
ICO Releases Anonymization Guidance: The United Kingdom Information Commissioner’s Office (“ICO”) released new guidance on anonymizing personal data to assist organizations in identifying the issues they should consider in order to use anonymization techniques effectively. The guidance discusses what is meant by anonymization and pseudonymization and how such techniques affect data protection obligations, provides advice on good practices for anonymizing personal data, and discusses technical and organizational measures to mitigate risks to individuals when organizations anonymize data. Among other things, the guidance explains that anonymization is about reducing the likelihood of a person being identified or identifiable to a sufficiently remote level and that organizations should undertake identifiability risk assessments to determine the likelihood of identification when undertaking anonymization efforts, among other recommended accountability and governance measures. The guidance also includes case studies to assist users in understanding the guidance concepts.
Office of the Privacy Commissioner of Canada Releases Guidance on Risk Assessment in Data Breach; Canada Announces First Phase of Cybersecurity Certification Program: The Office of the Privacy Commissioner of Canada (“Privacy Commissioner”) released an online tool to assist organizations in conducting a breach risk self-assessment. The tool guides users through a series of questions about the details of the breach to assess whether the circumstances create a real risk of significant harm and whether the breach is required to be reported. Separately, the Government of Canada announced the first phase in the implementation of the Canadian Program for Cyber Security Certification (“CPCSC”). The CPCSC will establish a cyber security standard for companies that handle sensitive unclassified government information in defense contracting. The Canadian government stated that the CPCSC will be released in phases, with the first phase involving the release of a new Canadian industrial cyber security standard, opening the accreditation process, and introducing a self-assessment tool for level 1 certification to help businesses better understand the program before a wider rollout of the program in successive phases.
NOYB Files Complaint Against ChatGPT over Defamatory Hallucinations: Privacy advocacy organization NOYB has filed a complaint against ChatGPT stemming from false information about an individual provided by ChatGPT in response to a query. Specifically, the complaint alleges that when Norwegian user Arve Hjalmar Holmen queried ChatGPT to determine if it had any information about him, ChatGPT presented the complainant as a convicted criminal who murdered two of his children and attempted to murder his third son. NOYB further alleges that the fake story included real elements of his personal life, including the actual number and the gender of his children and the name of his hometown. The NOYB complaint alleges that the output is not an isolated incident and violates the EU General Data Protection Regulation, including Article 5(1)(d), which requires organizations to ensure the personal data they produce about individuals is accurate.
ICO Fines Company for Lax Cybersecurity Following Ransomware Attack: The ICO announced it has fined Advanced Computer Software Group Ltd. (“Advanced”) £3.07 million for cybersecurity failures relating to a ransomware incident in August 2022. Advanced provides information technology services to businesses, including in the healthcare industry. Hackers had gained access to Advanced systems via a customer account that did not have multi-factor authentication, leading to the disruption of UK National Health Service (“NHS”) operations. The personal information on 79,404 people was exfiltrated in the attack, including details of how to enter the homes of 809 individuals receiving home care. The ICO investigation concluded that Advanced did not have appropriate technical and organizational measures in place to protect personal data prior to the incident. The ICO noted that it reduced the initially proposed fine due to Advanced’s proactive engagement with law enforcement, the NHS, and other steps taken by Advanced to mitigate the risk to impacted individuals.
Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin also contributed to this article.